Situational awareness for computer network security

Situational Awareness For Computer Network Security Presented By Ayesha Khaliq

Transcript of Situational awareness for computer network security

Page 1: Situational awareness for computer network security

Situational Awareness For Computer Network Security

Presented By Ayesha Khaliq

Page 2: Situational awareness for computer network security

Contents

What is Situational Awareness
Why situational awareness for computer network security
Traditional SA
Cyber SA
Simple scenario of a cyber attack
Factors
Instance based learning theory model (IBLT)
Conclusion

Page 3: Situational awareness for computer network security

What is Situational Awareness?

Situation awareness (SA) involves being aware of what is happening in the vicinity.

It is also a field of study concerned with perception of the environment, which is critical for decision-makers in complex areas such as aviation, air traffic control, power plant operations, military command and control, and IT services.

Page 4: Situational awareness for computer network security

Why Situational Awareness in Computer Networks?

For security purposes, many organizations have their own Computer Security Incident Response Teams, which are responsible for ensuring the availability, integrity and confidentiality of network services. Their key responsibility is to maintain situational awareness over thousands of network objects and events.

In short, situational awareness in computer network security is about preventing threats and future crimes.

Page 5: Situational awareness for computer network security

Traditional SA:

Normally, situational awareness involves predictions related to time, spatial references and objects. To describe traditional situational awareness we can take the example of an aircraft pilot: from his point of view, he should keep track of the aircraft's status, speed, direction and position (longitude, latitude), the location of other aircraft (friends and enemies), the surrounding landing sites, and the mission.

Page 6: Situational awareness for computer network security

Cyber SA:

When we talk about cyber situational awareness, one should be aware of the status and the topology of the IT infrastructure, which is complex to handle. Network components are usually located by reference to the logical architecture rather than by physical position.

Page 7: Situational awareness for computer network security

Simple Scenario of a Cyber Attack

The cyber infrastructure typically consists of a web server and a file server that are protected by two firewalls in a demilitarized zone (DMZ), where the DMZ separates the external network (the Internet) from the company's internal network (LAN). The web server handles customer interactions on the company's website, while the file server is a repository for the many workstations internal to the company that employees use for their daily operations. Firewall 1 controls the traffic between the DMZ and the Internet; firewall 2 allows Network File System (NFS) protocol access between the file server and the web server.

Page 8: Situational awareness for computer network security

Scenario of a Cyber Attack:

Page 9: Situational awareness for computer network security

In this cyber infrastructure, attackers mostly follow the sequence of an "island hopping attack": the web server is compromised first, and then the web server is used to originate attacks on the file server (through a vulnerability in the NFS protocol) and on other company workstations.

In this simple scenario, a security analyst is exposed to a sequence of 25 network events (consisting of both threat and non-threat events), whose nature is not precisely defined to the security analyst.

He is also able to observe alerts that correspond to some of the network events using an intrusion detection system (IDS) (Jajodia et al., 2010). The IDS raises an alert for suspicious file execution or suspicious packet transmission events generated on the corporate network.
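The two-firewall layout above can be checked mechanically: given the flows each firewall permits, a reachability search tells a defender which hosts an intruder on the web server could go on to reach, and which single rule is the load-bearing link of the island-hopping chain. The following is an added example in Python, not code from the presentation; the host names, services and rule table are constructed to mirror the slide text and are assumptions, not the presenter's configuration.

```python
"""Reachability analysis of the two-firewall DMZ layout from the scenario slides.

Added example (not the presenter's code): hosts, services and rules below are
constructed to mirror the slide text, so every concrete flow is an assumption.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

# (source host, destination host, service, enforcement point).
# Constructed: firewall 1 admits web traffic from the Internet to the web
# server; firewall 2 admits only NFS between the web server and the file
# server; workstations and the file server share the LAN with no firewall
# between them.
Flow = Tuple[str, str, str, Optional[str]]
ALLOWED_FLOWS: List[Flow] = [
    ("internet", "web", "https", "firewall1"),
    ("web", "fileserver", "nfs", "firewall2"),
    ("workstation", "fileserver", "nfs", None),
    ("fileserver", "workstation", "smb", None),
]

Hop = Tuple[str, str, str]


def reachable(flows: List[Flow], start: str) -> Dict[str, List[Hop]]:
    """Breadth-first search over the permitted flows.

    Returns, for every host reachable from `start`, the shortest chain of
    (src, dst, service) hops that the policy permits. A host that can only be
    reached by hopping through another host is one of the slide's "islands".
    """
    paths: Dict[str, List[Hop]] = {start: []}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for src, dst, service, _ in flows:
            if src == host and dst not in paths:
                paths[dst] = paths[host] + [(src, dst, service)]
                queue.append(dst)
    return paths


def critical_flows(flows: List[Flow], start: str, target: str) -> List[Flow]:
    """Flows whose removal on its own makes `target` unreachable from `start`.

    This is the defender's question: which permitted flow is the link that the
    whole island-hopping chain depends on?
    """
    critical: List[Flow] = []
    for flow in flows:
        remaining = [f for f in flows if f != flow]
        if target not in reachable(remaining, start):
            critical.append(flow)
    return critical


def hardened(flows: List[Flow]) -> List[Flow]:
    """Policy variant with the web-server-to-file-server NFS exception removed."""
    return [f for f in flows if not (f[0] == "web" and f[1] == "fileserver")]


if __name__ == "__main__":
    for host, path in reachable(ALLOWED_FLOWS, "internet").items():
        chain = " -> ".join(f"{s}->{d}/{svc}" for s, d, svc in path)
        print(f"{host}: {chain or '(start)'}")
    print("critical:", critical_flows(ALLOWED_FLOWS, "internet", "workstation"))
    print("after hardening:", sorted(reachable(hardened(ALLOWED_FLOWS), "internet")))
```

Running it shows the three-hop chain Internet, web server, file server, workstation that the slide describes, and reports firewall 1's web rule, firewall 2's NFS exception and the LAN-internal file-server-to-workstation flow as the links whose removal breaks the chain; the workstation-to-file-server NFS flow is not on the path. With the NFS exception removed, only the web server remains reachable from the Internet.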

Page 10: Situational awareness for computer network security

Factors

The knowledge level of the analyst, i.e., the mix of threat and non-threat experiences stored in the analyst's memory.

The analyst’s risk-tolerance level, i.e., the willingness of an analyst to classify a sequence of events as a cyber-attack.

The analyst's similarity model, i.e., the process that the analyst uses to compare network events with prior experiences that are stored in his memory.

Page 11: Situational awareness for computer network security

Instance Based Learning Theory Model for Security Analyst

IBLT is a theory of how people make decisions from experience in complex environments. IBLT proposes that people represent every decision-making situation as instances that are stored in memory. Each instance is composed of three parts: Situation (S), Decision (D), and Utility (U).

Page 12: Situational awareness for computer network security

Implementation of IBLT

The IBL model of the security analyst can be implemented using Matlab software.
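The three factors from the Factors slide and the S/D/U instance structure of IBLT can be put together in a small simulation: an analyst whose memory holds a chosen mix of threat and non-threat experiences (knowledge level) judges each event by retrieving the most similar stored instance of each kind (similarity model) and declares the sequence a cyber-attack once enough events have been judged threats (risk tolerance). The following is an added illustration written in Python rather than the Matlab the slide mentions, and it is not the presenter's model: the features, the eight constructed events, the similarity measure and the thresholds are all assumptions made for the example.

```python
"""Toy instance-based learning (IBL) model of a security analyst watching the
island-hopping scenario.

Added illustration in Python (the presentation says the model was built in
Matlab); every event, feature, threshold and rule below is constructed for the
example, not taken from the slides.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

Situation = Dict[str, str]  # S: a network event described by a few features


@dataclass
class Instance:
    situation: Situation  # S: what the event looked like
    decision: str         # D: "threat" or "benign"
    utility: float        # U: 1.0 when that decision turned out to be right


def similarity(a: Situation, b: Situation) -> float:
    """Analyst's similarity model: fraction of features that match (assumed)."""
    keys = sorted(set(a) | set(b))
    return sum(1 for k in keys if a.get(k) == b.get(k)) / len(keys)


class IBLAnalyst:
    def __init__(self, memory: Sequence[Instance], risk_tolerance: int, min_similarity: float = 0.5):
        self.memory = list(memory)
        self.risk_tolerance = risk_tolerance  # threat judgements needed before calling the sequence an attack
        self.min_similarity = min_similarity  # instances below this activation are not retrieved

    def activation(self, event: Situation, option: str) -> float:
        """Highest activation (similarity x utility) among instances with this decision."""
        acts = [similarity(event, i.situation) * i.utility for i in self.memory if i.decision == option]
        return max((a for a in acts if a >= self.min_similarity), default=0.0)

    def judge(self, event: Situation) -> str:
        """Retrieve the best-matching experience of each kind; ties favour 'benign'."""
        return "threat" if self.activation(event, "threat") > self.activation(event, "benign") else "benign"

    def process(self, events: Sequence[Tuple[Situation, str]]) -> Tuple[List[str], Optional[int]]:
        """Judge events in order; return the judgements and the 1-based event at
        which the analyst declared a cyber-attack (None if never)."""
        judgements: List[str] = []
        declared_at: Optional[int] = None
        for n, (event, truth) in enumerate(events, start=1):
            judgements.append(self.judge(event))
            if declared_at is None and judgements.count("threat") >= self.risk_tolerance:
                declared_at = n
            # Learning: feedback on the event's true nature becomes a new instance.
            self.memory.append(Instance(dict(event), truth, 1.0))
        return judgements, declared_at


# Constructed prior experiences: the three stages of the island hop, each seen
# with an IDS alert, and three kinds of ordinary traffic.
THREAT_EXPERIENCES = [
    {"src": "internet", "dst": "web", "proto": "http", "alert": "yes"},
    {"src": "web", "dst": "fileserver", "proto": "nfs", "alert": "yes"},
    {"src": "fileserver", "dst": "workstation", "proto": "smb", "alert": "yes"},
]
BENIGN_EXPERIENCES = [
    {"src": "internet", "dst": "web", "proto": "http", "alert": "no"},
    {"src": "workstation", "dst": "fileserver", "proto": "nfs", "alert": "no"},
    {"src": "workstation", "dst": "internet", "proto": "http", "alert": "no"},
]
# Constructed event sequence with ground truth (eight events rather than the
# slide's 25): the attack stages are interleaved with normal traffic.
EVENTS = [
    ({"src": "internet", "dst": "web", "proto": "http", "alert": "no"}, "benign"),
    ({"src": "workstation", "dst": "internet", "proto": "http", "alert": "no"}, "benign"),
    ({"src": "internet", "dst": "web", "proto": "http", "alert": "yes"}, "threat"),
    ({"src": "workstation", "dst": "fileserver", "proto": "nfs", "alert": "no"}, "benign"),
    ({"src": "web", "dst": "fileserver", "proto": "nfs", "alert": "yes"}, "threat"),
    ({"src": "workstation", "dst": "internet", "proto": "http", "alert": "no"}, "benign"),
    ({"src": "fileserver", "dst": "workstation", "proto": "smb", "alert": "yes"}, "threat"),
    ({"src": "workstation", "dst": "fileserver", "proto": "nfs", "alert": "no"}, "benign"),
]


def simulate(threat_experiences: int, risk_tolerance: int) -> Tuple[List[str], Optional[int]]:
    """Knowledge level = how many of the threat experiences the analyst has seen."""
    memory = [Instance(s, "threat", 1.0) for s in THREAT_EXPERIENCES[:threat_experiences]]
    memory += [Instance(s, "benign", 1.0) for s in BENIGN_EXPERIENCES]
    return IBLAnalyst(memory, risk_tolerance).process(EVENTS)


if __name__ == "__main__":
    print("experienced, tolerant of little risk:", simulate(3, 2))
    print("novice, needs more evidence:", simulate(1, 3))
```

In this run the experienced analyst flags events 3, 5 and 7 and declares the attack at event 5; the novice, who has only seen the first stage of the hop, flags event 3 but has no instance similar enough to the later NFS and SMB stages and never declares the attack, even though feedback adds those events to memory as the sequence goes on. Raising the experienced analyst's risk tolerance to 3 delays the declaration to event 7, which is the trade-off between the knowledge and risk-tolerance factors that the slide lists.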

Page 13: Situational awareness for computer network security

Conclusion

Due to the growing threat to our cyber infrastructure and the heightened need to implement cyber security, it becomes important to evaluate the cyber situation awareness (cyber-SA) of security analysts in different cyber-attack scenarios. In this research, I suggest a memory-based account, based upon instance-based learning theory, of the decisions of a security analyst who is put in a popular cyber-attack scenario of an island-hopping attack.

Page 14: Situational awareness for computer network security

References

http://www.hss.cmu.edu/departments/sds/ddmlab/papers/Dutt.Gonzalez.2012

ftp://ftp.rta.nato.int/Pubfulltext/RTO/MP/RTO-MP-IST-043/MP-IST-043-20

Page 15: Situational awareness for computer network security

Thank You!!